Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
{}
---

import { TabItem, Tabs } from "~/components";

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Resolver policies**.
2. Select **Add a policy**.
3. Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service:
Expand All @@ -23,6 +27,48 @@

Custom resolvers are saved to your account for future use. You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.

</TabItem>
<TabItem label="Terraform (v5)">

1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
- `Zero Trust Write`

2. Create a resolver policy using the [`cloudflare_zero_trust_gateway_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy) resource:

```tf
resource "cloudflare_zero_trust_gateway_policy" "resolver_policy" {
name = "Example resolver policy"
enabled = true
account_id = var.cloudflare_account_id
description = "TERRAFORM MANAGED resolver policy"
action = "resolve"
traffic = "dns.fqdn in {\"internal.example.com\"}"
identity = "identity.email in {\"[email protected]\"}"
precedence = 1
rule_settings = {
dns_resolvers = {
# You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.
ipv4 = [{
ip = "192.0.2.24"
port = 53
route_through_private_network = true
vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
}]
ipv6 = [{
ip = "2001:DB8::"
port = 53
route_through_private_network = true
vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
}]
}
}
}
```


</TabItem>
</Tabs>

When a user's query matches a resolver policy, Gateway will send the query to your listed resolvers in the following order:

1. Public resolvers
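Review bot: both resolver entries set `vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id`, but the snippet never declares that resource, so the example fails to plan as pasted. Either add the virtual network resource above the policy or state that `staging_vnet` must already exist in the reader's configuration. Two smaller points in the same block: the `identity` expression's address renders here as `[email protected]`, which reads as an obfuscation artifact rather than a documented placeholder, so use an `example.com` address that matches the `traffic` expression; and the comment `# You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.` restates the sentence two paragraphs up and can be dropped.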
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,30 @@
{}
---

import { TabItem, Tabs } from "~/components";

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**.
2. In **Firewall**, turn on **TLS decryption**.

</TabItem>
<TabItem label="Terraform (v5)">

1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
- `Zero Trust Write`

2. Configure the `tls_decrypt` argument in [`cloudflare_zero_trust_gateway_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_settings):

```tf
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
account_id = var.cloudflare_account_id
settings = {
tls_decrypt = {
enabled = true
}
}
}
```
</TabItem>
</Tabs>
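Review bot: the closing fence at ``` is followed directly by `</TabItem>` with no blank line, unlike the other two tabs in this change; MDX can fold JSX into the preceding block without that separator, so add the blank line. The resource label `team_name` says nothing about what it configures; a label such as `gateway_settings` matches the resource's purpose. Both tabs would also benefit from one sentence saying that turning on TLS decryption means Gateway intercepts HTTPS, so the Cloudflare root certificate has to be installed on devices first, otherwise users get certificate errors.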
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,20 @@

import { Tabs, TabItem } from "~/components";

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

1. Go to **Settings** > **Network**.
2. In **Firewall**, turn on **Proxy**.
3. Select **TCP**.
4. (Recommended) To proxy traffic to internal DNS resolvers, select **UDP**.
5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors/#ping-and-traceroute-commands-do-not-work) to allow ICMP traffic through `cloudflared`.

</TabItem>
<TabItem label="Terraform (v5)">

Proxy settings are not currently supported by the Terraform v5 provider (as of version 5.3.0). To turn on the Gateway proxy, use the dashboard or API.

</TabItem>
</Tabs>

Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/policies/gateway/proxy/).
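Review bot: step 1 of the Dashboard tab (`Go to **Settings** > **Network**`) drops the `In [Zero Trust](https://one.dash.cloudflare.com/), go to ...` lead-in that the other Dashboard tabs in this change use; make it match. In the Terraform tab, `as of version 5.3.0` will go stale silently; link the provider changelog or the `cloudflare_zero_trust_gateway_settings` resource docs so readers can check whether proxy settings have landed, and since the text tells readers to use the API instead, link the relevant API endpoint rather than leaving it unreferenced.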